[nycphp-talk] Data encryption on ISP server
Flavio daCosta
nyphp at n0p.net
Sat Jun 25 11:43:02 EDT 2005
> On 6/24/05, Flavio daCosta <nyphp at n0p.net> wrote:
>3) New user setup would be a manual process to get the initial
>(unencrypted) passphrase encrypted with their password.
On 06/25/2005 11:06 AM, csnyder wrote:
> But that's a good thing. If just anyone could come along and register as
> a new user, then an attacker with shell access could just register and
> then use his password to decrypt the passphrase, game over.
I guess you are right, it's not really a caveat (more like a feature ;).
It also wouldn't need to be as manual as I first thought. The person
with the authorization to create accounts would be able to encrypt the
new user's first password during setup, seeing as they already have the
unencrypted db passphrase (from their password).
Flavio
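
The scheme discussed in this thread, sketched as an added example that is not part of the original post or anyone's production code: each user record stores the shared DB passphrase wrapped under a key derived from that user's password, and enrolling a user requires an existing password that already unwraps it. It assumes PHP 7.2+ with the sodium extension; the function names, record layout and sample passwords are hypothetical.

```php
<?php
// Added illustration; function names, record layout and passwords are hypothetical.

// Derive a key-encryption key (KEK) from a password and a per-user salt.
function derive_kek(string $password, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Wrap the shared DB passphrase under one user's password.
function wrap_passphrase(string $dbPassphrase, string $password): array {
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $kek   = derive_kek($password, $salt);
    $blob  = sodium_crypto_secretbox($dbPassphrase, $nonce, $kek);
    sodium_memzero($kek);
    return ['salt' => $salt, 'nonce' => $nonce, 'blob' => $blob];
}

// Recover the DB passphrase from a stored record; null if the password is wrong
// or the record was tampered with (secretbox is authenticated encryption).
function unwrap_passphrase(array $rec, string $password): ?string {
    $kek   = derive_kek($password, $rec['salt']);
    $plain = sodium_crypto_secretbox_open($rec['blob'], $rec['nonce'], $kek);
    sodium_memzero($kek);
    return $plain === false ? null : $plain;
}

// Account creation: only someone whose password already unwraps the
// passphrase can produce a record for a new user.
function enroll_user(array $adminRec, string $adminPassword, string $newUserPassword): array {
    $dbPassphrase = unwrap_passphrase($adminRec, $adminPassword);
    if ($dbPassphrase === null) {
        throw new RuntimeException('admin password does not unlock the DB passphrase');
    }
    $rec = wrap_passphrase($dbPassphrase, $newUserPassword);
    sodium_memzero($dbPassphrase);
    return $rec;
}

// Constructed demo values.
$admin = wrap_passphrase('constructed-db-passphrase', 'admin-initial-pw'); // one-time bootstrap
$alice = enroll_user($admin, 'admin-initial-pw', 'alice-first-pw');
var_dump(unwrap_passphrase($alice, 'alice-first-pw') === 'constructed-db-passphrase');
var_dump(unwrap_passphrase($alice, 'wrong-guess'));
```

Only the salt, nonce and wrapped blob are stored per user, so read access to the user table alone does not yield the DB passphrase.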